Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders Analysis and Observations

Transcription

1 Technical Report September 2005 Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders Analysis and Observations Eric D. Shaw Consulting & Clinical Psychology, Ltd. Lynn F. Fischer Defense Personnel Security Research Center Approved for Public Distribution: Distribution Unlimited Research Conducted by Defense Personnel Security Research Center

2 Report Documentation Page Form Approved OMB No Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE SEP REPORT TYPE N/A 3. DATES COVERED - 4. TITLE AND SUBTITLE Ten Tales of Betrayal: The Threat to Corporate Infrastructure by Information Technology Insiders Analysis and Observations 5a. CONTRACT NUMBER 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Defense Personnel Security Research Center 99 Pacific Street, Suite 455-E Monterey, CA PERFORMING ORGANIZATION REPORT NUMBER 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR S ACRONYM(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release, distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 11. SPONSOR/MONITOR S REPORT NUMBER(S) 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT SAR a. REPORT unclassified b. ABSTRACT unclassified c. THIS PAGE unclassified 18. NUMBER OF PAGES 65 19a. NAME OF RESPONSIBLE PERSON Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

3

4 Technical Report September 2005 Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders Analysis and Observations Eric D. Shaw Consulting & Clinical Psychology, Ltd. Lynn F. Fischer Defense Personnel Security Research Center Released by James A. Riedel Director Defense Personnel Security Research Center 99 Pacific Street, Suite 455-E Monterey, CA

5

6

7 Preface This report provides an overview and analysis of 10 insider events that occurred prior to 2003 in infrastructure industries. It concludes with a set of observations that have clear implications for policies and management practices in government and industry. The 10 full case studies, authored by Eric D. Shaw, Ph.D., Consulting & Clinical Psychology, Ltd., are contained in another report that was issued as For Official Use Only in order to respect the confidentiality of private sector companies that were victimized by the offenders. These cases represent attacks against information systems that are essential for the functioning of national critical infrastructure industries. The threat to organizations in this category is obviously a Department of Defense (DoD) concern; however, insider attacks, not unlike those described here, have also occurred in military departments and Defense agencies. PERSEREC has been tracking events on the government side over the past 3 years and has a growing database of information on trust betrayal involving information systems. A subsequent summary of findings that pertain specifically to the Defense community will be issued at a later date. In the interim, case study work of the type and quality seen here is proving to be invaluable to our understanding of this behavior and of mitigating factors that we would recommend to minimize Defense systems vulnerabilities. The significance of the analysis of these events extends beyond a concern with the vulnerability of critical information technology (IT) systems. This is an attempt to understand one manifestation of the much larger insider threat to the DoD and the United States. Other dimensions of this threat include insider espionage concerning which PERSERC has had a long-term research interest and the insider threat associated with international terrorism that is only now emerging. These threats all stem from human problems and vulnerabilities that might be addressed in time to prevent damage or loss by an effective personnel security system working in harmony with employee assistance programs. For this reason, we are particularly interested in implications that focus on preemployment screening, monitoring on the job, and on how to deal with otherwise valuable personnel who are angry or disgruntled. James A. Riedel Director iii

8 iv

9 the expansion of standard pre-employment screening to detect this type of risk. The finding that several subjects had either committed the same or similar crimes before, or went on to repeat their violations, calls attention on the need for a system to track IT offenders better. Table 19 below summarizes these key findings and implications related to personnel management and insider risk. Table 19 Key Findings and Implications Related to Personnel Management Key Findings: Risk Factors Related to Personnel Management and Policy that Predict to Greater Vulnerability Gaps in personnel and security policies and practices High rates of personnel and security policy implementation and enforcement failures Lack of technical and human resources and education for policy enforcement Offender ability to avoid detection of policy and practice violations Failure of basic screening procedures Failure of traditional screening methods to detect at-risk online activities Tracking failures Implications Related to Personnel Management and Policy 13. Need for increased education and proliferation of personnel and security policies and practices, audits of policies and practices. 14. Need for increased education and proliferation of personnel and security policy implementation and enforcement methods, management training in enforcement practices, case management training, more reliable consequences for violations. 15. Improved education and awareness training regarding policy enforcement, improved enforcement auditing, increased corporate self-regulation of policy enforcement to avoid liability, government regulation and legislation. 16. Improved education and training of personnel and security personnel responsible for policy implementation and enforcement, and improved technical and human resources to assist these personnel. 17. Need to increase screening requirements. 18. Need to broaden and improve screening to improve detection of hacking and other at-risk, online activities and affiliations, use of security audits early in employment in absence of reliable screening methods. 19. Need to improve availability of information regarding past prosecuted and nonprosecuted violations for pre-employment screening. Criminal and Incident Investigations The patterns observed across these cases can potentially aid investigators of insider activity. While there may not be an insider personality profile to facilitate investigation, there are clear patterns in the combined personal backgrounds and work relationships that make these individuals stand out among their peers. The Proprietor and the Hacker perpetrator types provide even more detail on potential suspect characteristics. When partial information on suspects is available that fits these templates, they can provide further investigative guidance. The combination of personal characteristics and 44

10 problematic interactions in the workplace, identified in these case studies as risk indicators, could help narrow a field of suspects or assist investigators and prosecutors to select appropriate case management strategies. Future Research These results provided tentative support for the validity of the critical pathway model and the accompanying at-risk characteristics. The findings also lend support to the accuracy and relevance of the perpetrator typology categories. It would be useful to compare the patterns associated with the critical pathway and the perpetrator typologies to subjects in other types of trust betrayal, including insider espionage, fraud, and support for terrorist organizations. The research approach could be significantly improved in several ways. An increase in the frequency of subject interviews would fill out the story of these events and provide critical information on the relative balance of individual versus organizational factors that contribute to these episodes. However, these results indicate that subject interviews alone without workplace and investigator information and coworker interviews may result in a significant social desirability bias. The three subjects in this sample who agreed to interviews had very specific agendas for doing so. In these cases subject interviews were balanced by alternative views of the event provided by coworkers and supervisors which in many cases conflicted with those of the subject. The availability of alternate sources provided a deeper understanding of the motivations and behaviors associated with each event. The number of and variety of subjects available could be increased easily by expanding the geographic selection area beyond the Washington, DC, to the New York corridor. The research could be further improved by diversifying selection to include cases not handled by law enforcement. The absence of court findings would require strengthening of the criteria to validate the nature of the offense. These preliminary results suggest that there may be differences between criminal cases and those more numerous violations resolved without legal intervention. Expansion of the number of subjects would also allow for more robust data analysis, beyond the examination of trends. Educational Products Detailed case studies provide unique educational value. The level of human detail, the focus on seemingly normal workplace events, and the application of critical pathway analysis, can be used to sensitize peers, supervisors, and security personnel to insider risks and intervention opportunities. Potential educational and training opportunities and products derived from this research could include: 45

11 Live or taped interviews with subjects, investigators, coworkers and prosecutors from a specific case Classroom exercises written around actual case data that would allow participants to role-play interventions at different stages of a case as the risk of an insider attack increases over time Structured security and investigative class work utilizing the case patterns identified to help security personnel refine investigative strategies Improved red teaming 10 from the insider perspective Materials designed to help security personnel work more closely with Human Resources and employee assistance program staff to identify and appropriately intervene with employees at risk for insider activity Information designed to help security and counterintelligence personnel prioritize scarce resources to identify groups, as well as individuals, at-risk for insider activity. Summary The foregoing 19 specific findings and implications reflect a more limited set of central observations derived from these cases. The following can be considered the primary conclusions and lessons learned from this study that have obvious application to cases like those described here for personnel policy, personnel security practices, technical deterrents, and security education for employee populations. 1. There is a clear relationship between personal stress as well as adverse social climates and the level of risk for systems abuse. Reliance on software solutions or technical deterrents to cyber-crime tends to obscure the importance of addressing personal issues through management interventions and timely referrals to employee assistance programs when appropriate. What is going on in a trusted employee s life (whether it be threatened loss of employment, marital strife, or substance abuse) usually manifests itself in workplace behavior and attitudes. When that person is in control of an IT system, the risk is even greater. 2. Closely related to the above is the policy issue on how to deal with disgruntled employees who have access to critical information system. Most of the offenders in these case studies were disgruntled for one reason or another. They reacted to their perceptions of injustice by abusive online behavior. An employee who is expressing anger in the workplace is engaged in conflict with other employees, or otherwise behaving in a threatening manner needs immediate management intervention. Our cases, albeit limited in number, indicate that there is a time delay in management awareness of employee disgruntlement and therefore a limited window of opportunity for more effective management responsiveness to this challenge. In addition, our limited sample raises 10 Red teaming is a strategy for the testing of network defenses against intrusion or attack. A team of technical experts, given authorization to do so, attempts to break into a system from a remote location as would a group of hackers. 46

12 questions about the effectiveness of many management approaches once an intervention is attempted. These results and the high-risk levels in such situations argue for the establishment of strict human resources guidelines regarding reporting and intervention with such subjects. These results indicate the need to consider more intensive, multidisciplinary case management and planning, as well as such options as intensive monitoring, restriction on remote system access, counseling, or psychological evaluation to mitigate the threat of systems abuse by employees at risk. 3. Even where disgruntlement or stress are not factors, these cases indicate that an elevated vulnerability to abuse exists in organizations that permit systems administrators or other IT professionals exclusive or proprietary control over its information systems. Where the system administrator has a sense of ownership and possesses technical skills not shared by other members of the organization, a situation exists in which management has no supervisory oversight and may well be intimidated by the administrator. The solution to this vulnerability is to require some type of routine system audit or monitoring by an independent provider or shared responsibilities for IT functions within the organization by technically qualified persons. 4. Inadequate termination policies appear to have been a contributing factor in several cases studied here and in other insider events evaluated by the research team. Where termination of employment or temporary probation appears to be a necessary action in extreme cases, the organization must protect itself and its systems from acts of retribution. Immediate suspension of system access (remote and on site) as well as physical access to the workplace by a terminated employee may be warranted, particularly when that employee has had some level of functional control of the IT system. 5. While remote access to a critical information system can be justified as a convenience or as a necessity stemming from mission requirements, experience indicates that unmonitored remote access carries intensified risks to an IT system. System vulnerability is heightened by not suspending remote access privileges of an employee who is barred from the workplace, known to be disgruntled, or who has a history of disregarding security rules and procedures. 6. It is clear that some of the system abuse reported in these cases would not have occurred had there been effective pre-employment screening of job applicants, particularly in regard to past history of online and criminal behavior. Employers, whether in government or the private sector, face serious risks by hiring IT professionals based simply on personal recommendation or paper credentials. However, several of these cases indicate the inadequacy of standard background checks for detection of prior activities of concern which were not prosecuted or not part of the public record for example, hacker activity. This screening gap and the quickness with which several of these subjects violated information security protocols upon their arrival in the workplace argue for probationary audits of the computer activity of new IT employees. 47

13 7. A review of these cases in the private sector and of insider cyber-crime and abuse in DoD organizations shows that some of these damaging events could have been avoided by adequate security training, education, and awareness for employees having access to, or control over, critical information systems. Educational and awareness programs for the workforce and the timing of awareness communications may be geared to activate during periods of higher vulnerability for the organization or during a window of opportunity after signs of employee disgruntlement surface. 8. In some of these cases, the failure to alert management to at-risk subject behaviors can be attributed to gaps in security policy. Also seen was inadequate enforcement and follow-up to policy violations due to a lack of resources or personnel training. Several subjects were simply able to evade security policies because they had IT skills superior to those responsible for enforcement. The content of education and training to address these gaps should include not only technical vulnerabilities but also security policies, deterrent measures, coworker responsibilities, and consequences for systems and for offending employees resulting from insider abuse. The use of actual case studies such as those described in these companion reports can enhance the effectiveness of these educational efforts. 48

14 References Academy jurors get lesson in hacking during cadet s trial. (1999, March 16). Colorado Springs Gazette Telegraph. Air Force Academy dismisses cadet for hacking into computer. (1999, March 14). Chicago Tribune, p. 18. Briney, A. (2003). Best training tactics. Information Security, 6(12), 45. Burgess, A.W., Hartman, C.R., Ressler, R.K., Douglas, J.E., & McCormack, A. (1986). Sexual homicide: A motivational model. Journal of Interpersonal Violence, 1(3), Caruso, V.L. (2003). Outsourcing information technology and the insider threat. Unpublished master s thesis, Air Force Institute of Technology, Wright-Patterson Air Force Base, OH. Coast Guard beefs up security after hack. (1998, July 20). Computer World. Fischer, L.F. (2003). Characterizing information systems insider offenders. Proceedings of the 45 th Annual Conference of the International Military Testing Association, Pensacola, FL. Retrieved, 2003, Gudaitis, T. (1998). The missing link in information security: Three-dimensional profiling. CyberPsychology and Behavior, 1(4), Herbig, K.L., & Wiskoff, M.F. (2002). Espionage against the United States by American citizens Monterey CA: Defense Personnel Security Research Center. Kaarbo, J., & Beasley, R. (1999). A practical guide to the comparative case study method in political psychology. Political Psychology, 20(2), MSNBC. (2000, May 1). Stiff penalties sought for computer crime. Retrieved May 1, 2000, from html Magklaros, G.B., & Furnell, S.M. (2002). Insider threat prediction tool: Evaluating the misuse. Computers and Security, 21(1), Ressler, R., Burgess, A.W., & Douglas, J.E. (1980). Sexual homicide: Patterns and motives. FBI Law Enforcement Journal, 49(10), Schudel, G., & Wood, B. (1999). Modeling behavior of the cyber-terrorist. Proceedings from Countering Cyberterrorism Workshop. Marina del Rey, CA: University of Southern California, Information Sciences Institute. Retrieved December, 2004, from Schultz, E. (2002). A framework for understanding and predicting insider attacks. Computers and Security, 210,

15 Shannon, E., & Blackman, A. (2002). The spy next door: The extraordinary secret life of Robert Philip Hanssen, the most damaging FBI agent in U.S. history. New York: Little, Brown. Shaw, E.D. (2001, January). To fire or not to fire. Information Security, Shaw, E.D. (2002). Profiling corporate information technology insider risk. Washington, DC: Consulting & Clinical Psychology. Shaw, E.D. (2003). Saddam Hussein: Political psychological profiling results relevant to his possession, use and possible transfer of weapons of mass destruction (WMD) to terrorist groups. Studies in Conflict and Terrorism, 26, Shaw, E.D. (2004). The insider threat: Can it be managed? In Parker, T. (Ed.), Adversary characterization: Auditing the hacker mind. Rockland, MA: Syngress Publications. Shaw, E.D., Ruby, K.G., & Post, J.M. (1998a). Insider threats to critical information systems: Characteristics of the vulnerable critical information technology insider (CITI) (Tech. Rep. No. 2). Bethesda, MD: Political Psychology Associates. Shaw, E.D., Ruby, K.G., & Post, J.M. (1998b). The insider threat to information systems. Security Awareness Bulletin, 2 98, Shaw, E.D., Post, J.M., & Ruby, K.G. (1999, December). Inside the mind of the insider. Security Management, Shaw, E.D., Post, J.M., & Ruby, K.G. (2000, July). Managing the threat from within: The personnel security audit. Information Security, Shaw, E.D., & Stroz, E. (2004). WarmTouch software: The IDS of psychology. In Parker, T. (Ed.), Adversary characterization: Auditing the hacker mind. Rockland, MA: Syngress Publications. Shaw, E.D., & Fischer, L.F. (2005). Ten tales of betrayal: The threat to corporate infrastructures by information technology insiders; Report 2, case studies. (FOUO) Monterey, CA: Defense Personnel Security Research Center. Winerman, L. (2004). Criminal profiling: The reality behind the myth. Monitor On Psychology, 35(7), Woman gets five months for hacking; tampering ruined Coast Guard files (1998, June 20). The Washington Post. Wood, B.J. (2000). An insider threat model for adversary simulation. Menlo Park, CA: SRI International, Cyber Defense Research Center. Wood, S., & Fischer, L.F. (2002). Cleared DoD employees at risk Report 2. A study of barriers to seeking help. Monterey, CA: Defense Personnel Security Research Center. 50